Sponsored by..

Showing posts with label Latvia. Show all posts
Showing posts with label Latvia. Show all posts

Monday, 17 April 2017

Malware spam: "RE: RE: ftc refund" / secretary@ftccomplaintassistant.com

This fake FTC email leads to malware. Curiously, it was sent to a company that received a multimillion dollar FTC fine, but this is almost definitely a coincidence.

From:    Federal Trade Commission [secretary@ftccomplaintassistant.com]
Date:    17 April 2017 at 15:25
Subject:    RE: RE: ftc refund


It seems we can claim a refund from the FTC.
Check this out and give me a call.
https://www.ftc.gov/refunds/company/companyname.com/FTC_refund_recipientname.doc
Thank you
James Newman
Senior Accountant
secretary@ftccomplaintassistant.com
212-0061570

The link in the email actually goes to a URL beginning http://thecomplete180.com/view.php?id= followed by a Base 64 encoded string that appears to be 6281 + recipient email address + 5434 (so for president@whitehouse.gov it would be http://thecomplete180.com/view.php?id=NjI4MXByZXNpZGVudEB3aGl0ZWhvdXNlLmdvdjU0MzQ=)

Obviously this downloaded document is up to no good, but the VirusTotal detection rates are only 5/56. The Word document itself tries to persuade victims to enable macros, which would be a bad idea.


Automated analysis [1] [2] shows network traffic to:

wasstalwihis.com/bdk/gate.php
littperevengpa.com/ls5/forum.php
littperevengpa.com/mlu/forum.php
littperevengpa.com/d1/about.php
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/a1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/2


It also appears to start sending traffic via Tor, which is a good reason to monitor Tor on your network. All sorts of files are dropped, most of which don't seem to be particularly malicious. "Gate.php" indicates a Pony downloader, but this does look like a tricky bugger.

Out of the domains contacted, littperevengpa.com and wasstalwihis.com shared the same registrant details and look fairly evil. We can associate the same registrant with the following domains:

soinwarep.com
ronwronsednot.com
withwasnothar.com
dingandrinfe.com
troverylit.com
derby-au.com
utonerutoft.com
situghlacsof.com
tinjecofsand.com
fortotrolhec.com
fydoratot.com
redwronwassdo.com
ronkeddari.com
littperevengpa.com
suranfortrep.com
newbillingplace.com
usps-daily-delivery.com
ringcentral-fax-inbox.com
wassheckgehan.com
wasstalwihis.com
meredondidn.com
satertdiut.com
vernothesled.com
veuntedund.com
ranwithtorsdo.com
notwipaar.com
dintrogela.com
adp-monthly-billling.com
rigakeddo.com
random-billing.com
hetoftinbut.com
hemlittratdidn.com

Perhaps more usefully, we can associate that registrant with the following IPs:

178.170.189.254 [hostname: nejokexulag.example.com] (Servachok Ltd, Russia)
185.146.1.4 (PS Internet Company LLC, Kazakhstan)
185.48.56.63 (Sinarohost, Netherlands)
185.80.53.76 (HZ Hosting, Bulgaria)
188.127.237.232 (SmartApe, Russia)
193.105.240.2 (Sia Vps Hosting, Latvia)
194.1.239.63 [hostname: nejokexulag.example.com] (Internet Hosting Ltd, Russia)
195.54.163.94 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
212.116.113.108 (Prometey Ltd, Russia)
46.148.26.87 [hostname: nejokexulag.infium.net] (Infium UAB, Ukraine)
47.90.202.88 (Alibaba.com, China)
77.246.149.100 [hostname: nejokexulag.e-vds.ru] (E-planet Ltd, Russia)
87.118.126.207 (Keyweb AG, Germany)
88.214.236.158 (Overoptic Systems, Russia)
91.230.211.67 [hostname: nejokexulag.freeopti.ru] (Optibit LLC, Russia)
93.189.43.36 (NTCOM, Russia)

This gives us a pretty useful minimum blocklist:

178.170.189.254
185.146.1.4
185.48.56.63
185.80.53.76
188.127.237.232
193.105.240.2
194.1.239.63
195.54.163.94
212.116.113.108
46.148.26.87
47.90.202.88
77.246.149.100
87.118.126.207
88.214.236.158
91.230.211.67
93.189.43.36




Tuesday, 11 April 2017

Pump and dump spam: Quest Management Inc (QSMG) stock

Following on from last month's INCT pump and dump spam the Necurs botnet is now promoting a Latvian company Quest Management Inc (QSMG) instead.

From:    Jenna Goff
Date:    11 April 2017 at 13:37
Subject:    FDA approval is about to send this stock up fifty fold

Why is Quest Management (Symbol: QSMG) guaranteed to jump 5,000% this month?

They have a cure for cancer.

This biotech is run by some of the most prolific scientists in America. Together, they have more than 400 years of experience in the field and have more diplomas than we can even imagine.

Cancer kills 1 out of 4 people in our country and we have all been affected by it either directly or indirectly.

Who doesn't know someone who's died from it?

The company's scientists are targeting cancer using stem cells. They are able to identify the bad cells and destroy them without radiating the entire body (like is common with chemo).

Apart from saving millions of lives, their treatment will surely become the No1 selling drug on earth.

The company has already made serious headway thanks to nearly two decades of research.

This cutting edge biotech company has completed animal trials successfully and just wrapped up FDA-approved human trials last week.

The next step is the public announcement of those results, which we hear through the grapevine have beat all expectations and will change the world of medicine forever.

The results will be announced this month, and once they are out the stock will jump to $25 a share overnight and will continue up to $50 or more quickly after.

"Quest"'s biotech arm could have a cancer cure that can be totally effective in killing tumors in more than 40% of patients worldwide available in hospitals throughout the globe by the end of the year.

Once that happens, we're talking about a $1000 a share stock.

We're literally coming in at the last mile, out of no where, and grabbing profits from their last 2 decades of hard work.

Consider buying QSMG right now while it's still at under 5 dollars and make sure to tell all your friends to do the same before the price explodes.
You can guarantee that the promise of a future big payout is a lie. For comparison, the INCT stock promoted last month crashed from 13 cents to 3 cents now and the promised buy-out of that company never happened.

But surely this is different? QSMG stock went up 60% yesterday..

Well, as you can see from the chart.. it took a sudden dive and then shot up again. It looks like someone sold 26,000 shares and maybe more (maybe at a discount last week), followed by a small purchase of just 100 shares at apparently a higher price. A casual passer-by might think that that was someone trying to manipulate the stock price.


Financials indicate that QSMG has never really done much in the way of business, and the stock price nosedived from an epic $2000 a share a year ago to less than $2 today.


Market cap is currently quoted at $119m with 70 million shares outstanding, which is a lot for a company with a turnover of a few thousand dollars a quarter. There's a 1000:1 reverse split in there from October. So a year ago, the company appears to have been valued at an even more insane amount.

Probably utterly coincidentally, an agreement was recently made for a legitimate US investment company to acquire 46 million shares of QSMG. Perhaps someone else holding QSMG stock is looking for a payday?

Anyway.. most stocks promoted by pump and dump spam crash and burn. Buying stocks based on a tip from an illegal spam run would be extremely unwise in my personal opinion.

UPDATE 1

We'll probably see several different versions of this illegal botnet-driven spam. Here is the second one..

From:    Lottie Nash
Date:    11 April 2017 at 19:31
Subject:    This biotech has developed a cure for cancer and its shares are soaring.

One of my friends at Goldman told me to buy QSMG this morning.

He is an expert at this stuff and has never let me down before. After researching the company, it seems that he may be right.

I am going to buy 5,000 shares now because it's all I can afford, but you should buy as little or as many as you possibly can...

Their biotech arm, Stemvax has developed a cure for cancer and just completed successful human trials under the FDA's supervision.

The stock has jumped 3X already since last week and is guaranteed to go to at least 20 dollars this month based on his research.

Once QSMG's official announcements for the cure become public, there's no saying how high their share price will go.

I expect some very serious stuff to be announced in the coming 2 weeks. Act quickly so you don't miss out.

UPDATE 2

Another one. Incidentally, the email address used for some of these illegal spam emails appears to have been obtained from CompareTheMarket.com. Nice.

From:    Fay Vinson
Date:    12 April 2017 at 09:19
Subject:    An imminent green light from the fda will send this drug maker soaring.

There are very few times in life when we truly get the chance to be part of something big, and profitable at the same time.

The doctors at QSMG have been working nonstop for more than 20 years to get to this moment a cure for cancer.

They completed animal trials last year which were very positive, and completed human trials just a few days ago with the fda's blessing.

The results are not out yet but according to my sources, the human trials were very successful as well and cancer cells were successfully killed in 40% of all cases.

40% might not seem like a passing grade, but it is above and beyond what everyone was expecting. This makes it the most successful cancer drug on earth, and best of all it is non-invasive.

The results will be announced this month, and once they are out the stock will jump to $25 a share overnight and will continue up to $50 or more quickly after.

Want to feel like a genius? Buy QSMG right now while it's still at just 2 dollars, and wait it out 2 weeks. You will be rewarded handsomely.

UPDATE 3

Another version of this spam is attached below. This "Stemvax" company is not actually part of QSMG, but according to a press release yesterday it's an intended acquistion. I wonder how they're paying for that company? Cash? Stocks? More after this spam..

From:    Araceli Rutledge
Date:    12 April 2017 at 15:34
Subject:    This company found a cure for cancer. Their stock is flying.

This is a super rare opportunity that may never come again. This biotech company has finally found a cure for cancer after more than 20 years of stem cells and immunotherapy research.

They had very positive trials both on animals and humans (according to my sources) where tumors got killed at a rate of 41%

Their medicine is going to change the world once it gets rolled out in a few months. We are awaiting an official announcement form the company in the next couple of weeks, but it seems I am not the only one in the know because their stock has quadrupled since last week.

QSMG is guaranteed to hit 25 bucks a share overnight once they release their announcement to the public. You really need to think about buying shares right now before it shoots up higher.
So.. I was researching this whole takeover thing and also found a similar but rather promotional commentary on a site oracledispatch.com which attributes the bump in QSMG shares to the Stemvax acquisition rather than the spam run.
Quest Management Inc (OTCMKTS:QSMG) had a nice day yesterday moving higher by 15% adding some needed liquidity. The driver for this move came from a Letter of Intent to acquire immunotherapy Biotech company Stemvax, Inc., from Dr. Dwain Morris-Irvin PhD. Upon Closing, Dr. Morris-Irvin will simultaneously become CEO of the newly formed Biotech division of Quest.
 Wait a minute. Let's look at that logo on this "news" site.



 My goodness, that looks very much like the logo of the entirely unrelated Oracle Corporation.

Anyway, every stock on that mentioned on that site looks like it could be a part of a paid promotion. That's not illegal per se. Spamming out millions of emails from a botnet of hacked machines is.

UPDATE 4

Another spam.. this time it's a "friend at the FDA" rather than "One of my friends at Goldman". Yead right.

From:    Teri Dunn
Date:    13 April 2017 at 08:58
Subject:    An imminent event is sending this stock price through the roof.

What if I told you that I know of a company that has actually found a cure for cancer.

They have proven its efficacy in animal tests and have recently just completed their testing on humans.

The results of the tests on the human subjects are not out yet, we are expecting them to become public some time in the next two to three weeks,
but a friend of mine who works at the FDA told me that they are life changing.

It seems that in around forty percent of cases, tumors were successfully destroyed. This number is absolutely huge!
It means that more than a third of the people with cancer can be cured with this therapy.

This is going to change the world, and once the announcement becomes public,
it is guaranteed that their stock price will go to more than 24 to 30 bucks in a matter of hours.

This is why I highly, highly recommend that you buy QSMG as soon as you can today. Get in ahead of the herd.
UPDATE 5

Another one. Perhaps the "I have a good friend who works at the fda" part should read "I have a good friend who is going to jail for securities fraud"?

From:    Socorro Conrad
Date:    13 April 2017 at 18:48
Subject:    Here is a tip that could change your life

I have a good friend who works at the fda, and from time to time he tells me about things before they happen.

This is why I am sending you this message today. Earlier this week he told me about a
company that has found a way to kill cancer tumors in 40% of all breast and prostate cases.

While this isn't a one hundred percent method, it works good enough to save over 50 million lives a year.
The company just completed human trials a couple of weeks ago and have yet to release the results.

Once those positive results hit the public, the company's shares are going to go nuts.

QSMG is currently at under 3 bucks a share. I can guarantee that it will pass 25 to 30 before the end of the
month when those results are out.

Act quickly by getting in now and securing yourself a position ahead of the herd.
UPDATE 6

Surprisingly, the US stock markets are open on Easter Monday so yet another version of this illegal pump-and-dump spam is coming out to prime people. In this case the P&D spam has driven the stock price up.. expect a sharp drop when people realise that it is bullshit.

From:    Milagros Galloway
Date:    17 April 2017 at 09:47
Subject:    This trading idea could tenfold your portfolio this month

In case you missed my email last week, timing is getting very tight now.

You must read on to understand why you must act quickly for your benefit, and the benefit of your friends and family.

If you recall, I told you that I have a friend who works at the food and drug administration who told me about a small company that has just completed human trials for a life-saving cancer therapy.

It seems that in about forty percent in instances, cancer receded. This is an enormous number.

There is nothing else on the market at the moment that can save 40% of patients with breast or prostate cancer.

This drug does.

The small company’s stock is going to go up from 2 dollars to over 30 dollars the moment that this announcement is made public within the next two weeks.

Your window opportunity to buy shares of QSMG is quickly closing. You must act quickly before you miss out.
UPDATE 7

It looks like the bubble has burst on this P&D spam, as there is a note of desperation here..

From:    Alta Stewart
Date:    17 April 2017 at 17:15
Subject:    Do not miss on this chance to triple your money in the market

There is a rare opportunity in the market right now, so rare that it may only happen once in a lifetime.

I have it on good information that a small biotech company is about to receive approval from the f d a for a life-saving medicine.

This medicine is poised to become the next biggest seller in the world as it has just been shown to kill cancer.

This is why there has been a lot of activity surrounding the stock. People are trading it on wrong information, and it's in the red today because of that.

I highly suggest that you buy in right now while fools are getting out, and the stock is cheap because it's going to go up twenty fold in the next 2 weeks

when the public announcement comes out, and the medicine is officially approved. Move quickly though, because otherwise you will miss out.

The opportunity to buy QSMG at these discounts will not last long, and you will regret you didn't jump in when you had the chance.
Yup.. the stock has crashed and burned today. Hardly surprising..


(Even as I am writing this the stock has just crashed below the $1 barrier). Ah well, anyone fooling enough to pay over the odds for this stock has just been burned. But who is actually making money from this stock manipulation?


UPDATE 8

QSMG stock continues to crater, but it hasn't stopped the spammers trying again..

From:    Jesus Cote
Date:    18 April 2017 at 09:39
Subject:    This stock tip is for your eyes only. The chance may never come again

I know of a cutting edge company that has just completed the development of a new life saving medicine. A friend who works at a high position, at a secretive place told me about it.

This medicine has been proven in both lab tests, and human tests to destroy tumors in almost 50% of of instances.

For all practical purposes, I would call it a cure for one of the most deadly diseases of our times.

Being the type of person that I am, I asked myself how we can profit from this information.

The answer is very simple. Within the next week or two, QSMG will make the announcement public and once they do, their stock will go up to over 20 bucks overnight.

So the trick is to grab shares right now, while their price is still dirt cheap and while nobody knows what's about to come.

This is how you get your big break. This is how your life will finally change. Take the leap forward.


---
Best Regards,
Jesus Cote

Yesterday it dropped 73%. It will be interesting to see if it continues its race to the bottom today.

UPDATE 9

After a few days off, the pump and dump spammers are trying again at the share price sticks at 72 cents. It says "This is probably the last time that I will contact you  with this information".. we can only hope. Perhaps coincidentally, QSMG announced they are in negotiations to buy another company.

From:    Arlene Sanders
Date:    24 April 2017 at 09:27
Subject:    This time sensitive information could make you very wealthy

If you missed my heads up over this last week and a half, this is finally your time to act because in just 48 hours something big is going to happen.

This is probably the last time that I will contact you  with this information.

My friend at goldman gave me a call over the weekend and told me that the big acquisition we’ve been waiting for is going to occur on Wednesday. The day after tomorrow.

Pfizer is going to complete the purchase of QSMG (a small, public company) at a price of 23.79 dollars a share. For those of you doing the math out there, that's approximately 30 times higher than where the stock is at now.

If you're wondering why it's happening at such a high price, that’s because these guys just completed human trials on a cancer drug which has proved to be effective in around 40% of cases, and big pharma wants this for itself.

I suspect that I am not the only one who might have heard of this news so the stock may start climbing today and tomorrow before the big announcement becomes public on Wednesday evening.

This is quite literally the chance of a lifetime. If you miss out, you'll probably never be able to make 30x on your money so fast again.

Ten grand into QSMG today will turn into a quarter million bucks by Thursday.


***
King Regards,
Arlene Sanders

UPDATE 10

It turns out that the last one wasn't the last one! You might even think that they are lying. And wait.. QSMG doesn't stand for Quest Science Management Gate at all, does it?

From:    Jeanne David
Date:    24 April 2017 at 16:30
Subject:    I have a tip to share with you

In less than 2 days, this stock will go up 20 times overnight.


I've done a lot for you over the years and you've made an insane amount of profits listening to me.

Today and tomorrow is your last chance to seize the opportunity before it disappears.

My good friend who works at a firm I will not mention in upstate NY told me that a big takeover is about to happen.

A little American biopharma company discovered a new treatment for cancerous tumors and one of the biggest companies (starts with a P) is going to announce the official takeover on Wednesday (in 2 days).

The price at which this will happen more than 20 times what their stock is trading at now. Literally at 23 bucks a share from a current 80 cents.

Write this symbol down, it's the first letter of each word: Quest Science Management Gate that's q followed by s then m and g

This is the 4 letter symbol you need to tell your broker you want to buy, or just type it in yourself in your brokerage.

I hope you're ready to make it big. I expect a big thank you and an invite for steak this weekend.




---
Best Regards,
Jeanne David

UPDATE 11

This spam mentions "Wednesday night" as being when this nonexistant takeover of this crappy stock will take place. Will the spam stop then?

From:    Patsy Sandoval
Date:    25 April 2017 at 09:24
Subject:    By tomorrow evening this stock will be twenty times higher

Did you read my urgent email yesterday?

I outlined very specifically a game plan for you to make more than 20 times on your principle within the next 48 hours.

Let me hit you with the gravy and leave out all the boring details… there's a friend of mine who works at a top 50 firm upstate and he was privy to details of a take over.

In a nutshell there is a very large pharmaceutical company (its name starts with a P) who is finalizing the acquisition of a small public corporation that is currently trading at around 80 cents.

The take over price will be a little over 20 bucks and the official announcement is coming tomorrow night (wed night).

They're paying this much for it because of a novel stem cell treatment which eradicates cancer.

I don't need to tell you what will happen to the share price when this announcement hits the news outlets.

The company's trading symbol is Q as in Quest, S as in Sam, M as in Mother, G as in Great.

These are the 4 letters you need to type into your brokerage account to buy the stock or give to your broker over the phone.

Just ten thousand bucks into this will turn into over two hundred grand by Thursday morning.

You need to act quickly though because it seems I may not be the only one with this information, as I am seeing the price creep up a little already since Monday.



-----
Best Regards,
Patsy Sandoval 
UPDATE 12

This one claims QSMG's "share price is going through the stratosphere". Umm no, it's just bouncing around in the somewhat volatile pumped range that it has been in all week. In my opinion the true value is probably rather closer to $0.00.



From:    Dante Odonnell
Date:    25 April 2017 at 15:54
Subject:    This company's being acquired tomorrow

Its share price is going through the stratosphere.



The cat might be out of the bag now but there is still a massive opportunity to benefit.

I say that the secret is out because the stock price has gone up two days in a row but the reality is that it must be very few people who know information otherwise it would've gone ten times higher.

In case you missed my message yesterday, here is what is happening.. A big pharma corp is acquiring a minuscule public co and this is happening at a price that is 20 times greater than where it currently is.

This means that if you can put 10 thousand in right now, you will take out 200 grand by Thursday morning.

This info is solid. It comes from an attorney who's a long time friend of mine and who literally saw the acquisition documents with his own eyes.

You must be wondering what the company's trading symbol is, and I will not tease you any longer… it's Q like in Quality, S like in Straight, M like Mary and G like Gold

These four letters together make up the company's ticker and that's what you will need to give to your broker, or type into your online account to purchase the stock.

I highly recommend you do this as quickly as possible because there is no guarantee that the price will remain this low much longer.

I expect it'll continue to rise and rise as the insider information spreads. Nonetheless the potential to benefit is absolutely gigantic here.




-----
Best Regards,
Dante Odonnell
UPDATE 13

If you believe the lies this spam is pushing, QSMG are going to be the subject of a takeover bid by Pfizer today. Obviously this is crap, but the spam still keeps trying to pump the share price up nevertheless.

From:    Reba Sykes
Date:    26 April 2017 at 07:28
Subject:    Your chance to make an amazing move is quickly slipping away

There is reason for excitement. A good friend of mine who works at a high place which I will not name told me about a crazy opportunity...

There is an acquisition about to be completed by a very large company.

They're buying out a small medical firm at more than 20 times what it's currently trading at.

This means that every ten thousand bucks you put in will turn into two hundred grand the moment the announcement becomes public.

The symbol for this company is the first letter of each of the following words: Quick, Should, Must, Get.

These 4 letters are what you must type in to your brokerage account or tell your broker in order to get the shares.

I really, really recommend you move on it quickly because the announcement will become public at any day now and this may be your last chance to get in before it's too late.


-------
Best Wishes,
Reba Sykes
UPDATE 15

This one (the 16th version) says (amongst other crap) "This guy has always been right so far. In fact if you remember, the tip I gave you last year… the one on which you made 15x in 2 weeks was from him. Yes, that's right." Funny I don't remember that particular investment. 'Cos it didn't happen.

From:    Jeromy Humphrey
Date:    26 April 2017 at 14:42
Subject:    This is your opportunity to get a 20 bagger in the market very fast

One of my closest buddies, who happens to be a banker, let me in on a little tip earlier on.

There's this really awesome small bio technology firm which has discovered something ground breaking,

and because of this unprecedented discovery they're about to be bought out for a little over 20 times their current value.

One of the most prominent large firms in America is about to make this news public.

When that happens, the small company's stock is going to virtually go up more than twenty three fold overnight.

Let me put this in perspective for you. It means that every 10 thousand bucks you put in this will turn into almost a quarter million when the news is out.

This guy has always been right so far. In fact if you remember, the tip I gave you last year… the one on which you made 15x in 2 weeks was from him. Yes, that's right.

So before I forget, here is the stock symbol.. It's the 1st letter of each of the following words: Quickly Super Mouse Green

I'm giving it to you in “code” in order to avoid potentially prying eyes, in case you are at the office, a cafe or something.

So with the first letter of each of these words, you've got your four letter symbol.

Input this in your online account to buy the stock or call your broker and give it to him and he will make the purchase for you.

One last thing, I don't know if I am the only one who knows this information so it's possible that the price will go up on other people buying,

but nonetheless if you can get in at under a buck twenty, I really recommend you jump on it as soon as physically possible.



--
Best Wishes,
Jeromy Humphrey

UPDATE 16

After a week or so of being quiet, the QSMG spam has started again. No mention of course of the non-existant takeover last week, but somebody somewhere must feel the need to pump up that stock price once more. The stock value has almost halved in a week. Oddly, QSMG's latest press release makes no mention of this stock manipulation.. now would be a good time to do so.



From: Ron Manning
Subject: Here's a life changing tip that will guide you through trump's America
Date: Tue, 02 May 2017 13:12:49 +0530

Given the current political climate, there are very few certain things in this world.

I can tell you first hand that I've had a hard time profiting in the market since Trump's administration came in a few months ago.

So I've looked long and hard for opportunities to leverage this unusual situation we find ourselves in here in America, and I have found the way.

Special circumstances call for special measures, and a friend of mine reached out to me over the weekend telling me that there's a small company on the verge of being bought out by a top 500 firm.

The price at which this will happen? 21 bucks a share from a current paltry 60 cents.

This means that every ten thousand of stock you buy, you'll make around 350k when the announcement comes out to the public in a few days.

Why am I telling you this? I want like-minded people to benefit as well and I'm tired of all the big shots making the big bucks.

Take it the way you will, but watch symbol : Quick Sure Mary Garage (use the first letters of each word to make up your 4 letter symbol which you'll use to buy the stock)

One way or another, whether you get in or not, this buy out is going to happen and people are going to make 35x on their principle.

Why not get a piece of the action?


***
Best Wishes,
Ron Manning



Monday, 19 December 2016

Malware spam: "Payslip for the month Dec 2016." leads to Locky

This fake financial spam leads to Locky ransomware:

From:    PATRICA GROVES
Date:    19 December 2016 at 10:12
Subject:    Payslip for the month Dec 2016.

Dear customer,

We are sending your payslip for the month Dec 2016 as an attachment with this mail.

Note: This is an auto-generated mail. Please do not reply.
The name of the sender will vary. Attached is a malicious Word document with a name like Payslip_Dec_2016_6946345.doc which has a VirusTotal detection rate of 12/55.

This Hybrid Analysis clearly shows Locky ransomware in action when the document is opened.

According to my usual reliable source, the various versions of this download a component from one of the following locations:

023pc.cn/8hrnv3
aguamineralsantacruz.com.br/8hrnv3
allard-g.be/8hrnv3
as-kanal-rohrreinigung.de/8hrnv3
aspecta-aso.net/8hrnv3
audehd.com/8hrnv3
audreyetsteve.fr/8hrnv3
baugildealtmark.de/8hrnv3
berstetaler.de/8hrnv3
birdhausdesign.com/8hrnv3
bperes.com.br/8hrnv3
brainfreezeapp.com/8hrnv3
delreywindows.com/8hrnv3
democracyandsecurity.org/8hrnv3
factoryfreeapparel.com/8hrnv3
garosero5.com/8hrnv3
globaser3000.com/8hrnv3
grafiquesvaros.com/8hrnv3
routerpanyoso.50webs.com/8hrnv3
skyers.awardspace.com/8hrnv3
www.andmax-rehabilitacja.pl/8hrnv3
www.bandhiga.com/8hrnv3
www.clinicafisiosan.com/8hrnv3
www.de-klinker.be/8hrnv3
www.foyerstg.pro/8hrnv3
www.globalchristiantrust.com/8hrnv3
www.neumayr-alkoven.com/8hrnv3
zimbabweaids.awardspace.com/8hrnv3

The malware then phones home to one of the following locations:

176.121.14.95/checkupdate (Rinet LLC, Ukraine)
193.201.225.124/checkupdate (PE Tetyana Mysyk, Ukraine)
188.127.237.76/checkupdate (SmartApe, Russia)
46.148.26.82/checkupdate (Infium, Latvia / Ukraine)


A DLL is dropped with a detection rate of 12/52.

Recommended blocklist:
176.121.14.95
193.201.225.124
188.127.237.76
46.148.26.82



Thursday, 15 December 2016

Malware spam: "Payment Processing Problem" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Juliet Langley
Date:    15 December 2016 at 23:17
Subject:    Payment Processing Problem

Dear [redacted],

We have to inform you that a problem occured when processing your last payment (code: 3132224-M, $789.$63).
The receipt is in the attachment. Please study it and contact us.


-
King Regards,
Juliet Langley

The name of the sender will vary, as will the reference number and dollar amounts. Attached is a ZIP file with a name somewhat matching the reference (e.g. MPay3132224.zip) containing in turn a malicious Javascript with a name similar to ~_AB1C2D_~.js.

My trusted source says that the scripts download a component from one of the following locations:

028cdxyk.com/mltxgc1
1688daigou.com/csuix
2lazy4u.de/ca4yq
adv-tech.ru/7p1jia
allan.multimediedesignerskive.dk/pohtr8mwl
amaniinitiative.org/ubaupn
artcoredesign.com/9ihg6by
atelier-coccolino.com/cvpphnaf7o
auto-zakaz.com.ua/phwcg
bantiki.me/hzzgidch
bikebrowse.com/qap3je2
blueprint-dsg.com/dtr22
bvntech.com/amrwwxei
chonamyoung.com/9vsdld
cprsim.com/h9o3msx
dealspari.com/r2jvx5h6kc
demo.ahost5.ru/dhvzqqbo
demo.pornuha4you.com/lba7ajvti
deutsch.awardspace.info/0zetkhmp
dicksmacker.com/qq4ctnrgc
dryerventexpress.com/pnpafot9g
elevationmusic.de/6gcg6
e-studiz.com/hn0hl7i
formatwerbung.de/axxlilgd
gieslerdavies.com/cjhwnit
goldenarms.myjino.ru/3wn40qkg
gwerucity.org.zw/a3fsqhu9od
happyfeet.de/7rebctpqn5
hho68.com/hbowe
honestflooring.com/85i95u6vd
houssiere.daniel.formations-web.alsace/npqddd8b
infinitecorp.ca/to7jp7
kawagebook.com/5cbwdd5hap
kayamuh.sarf.com.tr/nou0chc
ledticket.com/pbmcdnx5rj
lucapotenziani.com/zjtguxf
mainlinecarriers.co.tz/ycj7o
martawyczynska.com/ilfvn
mbdvacations.com/ou8kkem
movewithgrace.ca/r8omwc
obccllc.com/tze5um3hh
old.strommarnas.se/yazezuw7og
seven-cards.com/xe2llygi
spikaflora.ru/zyubd6mlb
store.elixe.net/jltuvjpcsh
test1.zrise.top/isk90e
testlife.ruyigou.com/pv2ryezg7
theexcelconsultant.com/vp9u7tpa
thezenatwork.com/yd2c49vg0
topstoneisland.com/ud4jqd
tunca.bel.tr/uo3jnqkgxn
ustadhanif.com/q0w93lkrvp
www.boldrini.org.br/csneth51
www.chocolaterie-servant.com/1l38y2p
www.englishworld.it/w6ynmr
www.kottalgenealogy.com/vkwf5rll0s
www.sapol.it/ou8e1ftep
zapotech.com/sqagj4
zhongguanjiaoshi.com/mklu7

The malware then phones home to the following locations:

185.129.148.56/checkupdate (MWTV, Latvia)
178.209.51.223/checkupdate [hostname: 454.SW.multiservers.xyz] (EDIS, Switzerland)
37.235.50.119/checkupdate [hostname: 454.2.SW.multiservers.xyz] (EDIS, Switzerland)


Recommended blocklist:
185.129.148.0/24
178.209.51.223
37.235.50.119

Malware spam: "Amount Payable" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Lynn Drake
Date:    15 December 2016 at 09:55
Subject:    Amount Payable

Dear [redacted],
The amount payable has come to $38.29. All details are in the attachment.
Please open the file when possible.


-
Best Regards,
Lynn Drake
The name of the sender will vary, although the dollar amount seems consistent in all the samples I have seen. Attached is a file with a name similar to doc_6937209.zip which contains an apparently randomly-named script in a format similar to ~_ZJR8WZ_~.js. The highly obfuscated script of one sample can be seen here. Typical detection rates for the script are around 16/54.

There are many different scripts, downloading a component from one of the following locations (thanks to my usual reliable source):

0668.com/k5bhgn
250sb.com./jynvmx
addwords.com.tr/aah6qmhv
anti-dust.ru/7k6cp
asdream.pl/gbbs1c
atio.li/exjik
bappeda.dharmasrayakab.go.id/dlhalychp
braindouble.com/uycx51ix
buhoutserts.ru/ufdazc6vv
casino-okinawa.com/ejguf
catherineduret.ch/5qpqi5ezp
chinaxw.org/xw1ju7y6zc
chungcuvinhomemydinh.com/6dvjasf
crolic88.myjino.ru/1ddig
demo.shispare.com/bvsjq
environment.ae/0od5hn
forbrent.com/h9kqgq
fyd123.cn/kib6h2d9ga
groupeelectrogeneservice.com/eefpeywf9z
hedefosgb.com/dpyzsb6u
hlonline.kentucky.com/i7z78
innercityarts.squaremdesign.com/dyo1w7
jianhu365.com/z9puqdj2eu
malamut.org/gizb2zq
obaloco.com.br/67mfj
peopleprofit.in/pyihdg
roman64.humlak.cz/7bnisgf
rulebraker.ru/zsw4cnf9o
scaune.qmagazin.ro/5hktu4h
slankmethode.nl/4zzq1am
subys.com/mjguriv80
szwanrong.com/x5qxzpjsi
tecnomundo.uy/a8rnlgzv
test1.giaiphaponline.org/0ytdjs1
test.sousouyo.com/feaetpnuee
theamericanwake.com/xw1ju7y6zc
travelinsider.com.au/mwaefb4b
trietlong.net/heyus
tx318.com/kqe4ca
ucbus.net/usdxqqt6
u-niwon.com/kmjg6j9ske
vaaren.dk/ogcz6ys0d
viscarci.com/wyqs6353
walkonwheels.net.au/qmd1uu
wdcd999.com/lm5z2snyqn
web-shuttle.in/eeo9oc
windshieldrepairvancouver.ca/qcp8k7
wiselysoft.com/qcymgbug7
wszystkodokuchni.pl/sl5yko7
wudiai.com/mc3hnwd
www.espansioneimmobiliare.com/akktnck
www.myboatplans.net/6d7ukeco6
wx.utaidu.com/1eybujbru
xlr8services.com/n970foumf
xn--k1affefe.xn--p1ai/8wzzjk24u
youspeak.pt/liowrtxs
yukngobrol.com/h7sfu
zhiyuw.com/qfbdcvrul
zwljfc.com/ld1pvjozu
zzzort10xtest123.com/nin5k3bwo

According to this Malwr analysis, a DLL is dropped with a detection rate of 18/55.  This Hybrid Analysis shows the Locky infection clearly and identifies some C2s, combining this with another source gives the following list of C2 servers:

86.110.117.155/checkupdate (Rustelekom, Russia)
185.129.148.56/checkupdate (MWTV, Latvia)
185.17.120.166/checkupdate (Rustelekom, Russia)


MWTV is a known bad host, so I recommend blocking the entire /24.

Recommended blocklist:
86.110.117.155
185.129.148.0/24
185.17.120.166


Friday, 9 December 2016

Malware spam: "Firewall Software" leads to Locky

This spam appears to come from multiple senders and leads to Locky ransomware:

From:    Herman Middleton
Date:    9 December 2016 at 07:40
Subject:    Firewall Software

Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.

Please check it out.


--
King Regards,
Herman Middleton
IT Support Manager
Attached is a ZIP file with a name like f_license_5330349.zip which contains a randomly named .js script which is very highly obfuscated.

The Hybrid Analysis and Malwr report show that the script analysed downloads a component from welte.pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56. That Hybrid Analysis also detections C2 traffic to:

107.181.187.97/checkupdate [hostname: saluk1.example.com] (Total Server Solutions, US)
51.254.141.213/checkupdate (OVH, France)


It's worth mentioning perhaps that other Locky C2 servers seen in the past 12 hours are as follows:

91.142.90.46/checkupdate [hostname: mrn46.powerfulsecurities.com] (Miran, Russia)
195.123.209.23/checkupdate [hostame: prujio.com] (Layer6, Latvia)
185.127.24.247/checkupdate [hostname: free.example.com] (Informtehtrans, Russia)
176.121.14.95/checkupdate (Rinet LLC, Ukraine)
185.46.11.236/checkupdate (Agava, Russia)
178.159.42.248/checkupdate (Dunaevskiy Denis Leonidovich / Zomro, Ukraine)


Although some of these are from different sub-groups of Locky pushers, let's stick them all together for the sake of convenience. Note that there are a at least a couple of bad /24 blocks in there.

Recommended blocklist:
51.254.141.213
91.142.90.46
107.181.187.97
176.121.14.95
178.159.42.248
185.46.11.0/24
185.127.24.247
195.123.209.0/24


Wednesday, 23 November 2016

Malware spam "Please Pay Attention" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Please Pay Attention
From:     Bill Rivera
Date:     Wednesday, 23 November 2016, 9:45

Dear [redacted], we have received your payment but the amount was not full.
Probably, this occurred due to taxes we take from the amount.
All the details are in the attachment - please check it out.
The name of the sender will vary. In the sample I analysed, a ZIP file was attached with a filename beginning
lastpayment_ followed by the first part of the recipients email address. This archive contains a randomly-named malicious .JS script that looks like this.

This particular script (and there will be others) downloads a malicious component from one of the following locations:

nielsredeker.nl/gmcoirnrm
gurlfanam.net/krwjx
vedicmotet.com/61y7mljr4
praam.cz/iessl
nightpeople.co.il/xklqq33nr

According to this Malwr report a malicious DLL is dropped with an MD5 of def0d0070d4aed411b84ebd713fd8b92 and a detection rate of 6/56.

The Hybrid Analysis clearly shows the ransomware in action and shows it communicating with the following URLs:

95.213.186.93/information.cgi [hostname: djaksa.airplexalator.com] (Selectel, Russia)
195.123.209.8/information.cgi [hostname: kostya234.itldc-customer.net] (Layer6, Latvia)
213.32.66.16/information.cgi (OVH, France)


Recommended blocklist:
95.213.186.93
195.123.209.8
213.32.66.16

Tuesday, 8 November 2016

Malware spam: "Suspicious movements" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Suspicious movements
From:     Marlene Parrish
Date:     Tuesday, 8 November 2016, 12:52

Dear [redacted], Leroy from the bank notified us about the suspicious movements on out account.
Examine the attached scanned record. If you need more information, feel free to contact me.
---
King regards,
Marlene Parrish
Account Manager
Tel.: 202-328-1800
U.S. Office of Personnel Management
1189 E Street, NW
Washington, DC 20415-1000
The names, addresses and telephone numbers will vary from message to message. Attached is a ZIP file (e.g. pdf_recipient_3608c4a.zip) which contains a malicious javascript (e.g. NRV_J51E8_.js) which looks like this (note the insane amount of whitespace).

That particular script downloads a malicious component from one of the following locations:

vexerrais.net/6sbdh
centinel.ca/wkr1j6n
3-50-90.ru/u4y5t
alpermetalsanayi.com/vuvls
flurrbinh.net/6mz3c5q


There will probably be other download locations. This Hybrid Analysis and this Malwr report show the Locky ransomware in action. This version of Locky does not appear to use C2 servers, but instead drops a malicious DLL with an MD5 of 75e6faf192d00b296d89df2cd56c454a and a detection rate of 9/56.

UPDATE

My usual reliable source (thank you) informs me that there are indeed C2 servers (see the end of the post). The download locations are as follows:

3-50-90.ru/u4y5t
365aiwu.net/hbdo6
85.92.144.157/y8giadzn
abclala.com/r2kvg2
abercrombiesales.com/nmuch6
accenti.mx/nryojp
acrilion.ru/84m9t
adriandomini.com.ar/bq62dx10
agorarestaurant.ro/cg06f
ajmontanaro.com/q9giar
alpermetalsanayi.com/vuvls
antivirus.co.th/jukwebgk
apidesign.ca/ijau8q2z
archmod.com/sapma828
assetcomputers.com.au/lkfpyww
avon2you.ru/ayz1waqm
ayurvedic.by/b9kk9k
babuandanji.jp/lq9kay
bepxep.com/mo05j41
berrysbarber.com/q6qsnfpf
bielpak.pl/a79a64h
bjshicheng.com/blewwab
bst.tw/gnjeebt
cafedelrey.es/snby1c
centinel.ca/wkr1j6n
cgrs168.com/xmej0mc
chandrphen.com/h4b1k
chaturk.com/mxaxemv1
cheedellahousing.com/h24ph1
ck.co.th/r2k6i6
codanuscorp.com/ay5v52r1
comovan.t5.com.br/byev5nd
competc.ca/qrc9n
concern-block.ru/nijp1xq
corinnenewton.ca/ctlt8b
cosmobalance.com/jsqlt0g
dekoral.eu/twnyr1s
dessde.com/zcwaya
dinglihn.com/zg3pnsj
dmamart.com/c5l2p
donrigsby.com/nts0mk
dowfrecap.net/0d08tp
dowfrecap.net/3muv7
dowfrecap.net/6f9tho
dowfrecap.net/7qd7rck9
drkitchen.ca/y5jllxe
drmulchandani.com/d6ymtf62
dunyam.ru/jge1b3e
dwcell.com/dph861ws
earthboundpermaculture.org/okez95b
edrian.com/dfc33k67
edubit.eu/b6ye94wv
eldamennska.is/h4yim
elektronstore.it/z298ejb9
elleart.nl/gn3pim41
eroger.be/918p2q
fibrotek.com/deoq2
flurrbinh.net/0nbir64
flurrbinh.net/3nrgpb
flurrbinh.net/6mz3c5q
flurrbinh.net/7wi66hp
geethikabedcollege.com/766epkuj
handsomegroup.com/ae2y1hr0
inzt.net/lbrisge
lashouli.com/rq4xoq3
odinmanto.com/0cz2zwz
odinmanto.com/2rw12
odinmanto.com/57evyr
odinmanto.com/7gplz
pastelesallegro.mx/ex67ri8
thisnspeel.com/04u77s
thisnspeel.com/2qrn06f
thisnspeel.com/3ypojyl0
thisnspeel.com/766epkuj
vexerrais.net/1jk8n
vexerrais.net/3nx3w
vexerrais.net/6sbdh
vexerrais.net/84fwijj
villaamericana.net/84fwijj
www.cutillas.fr/lmc80sdb

C2s:

185.67.0.102/message.php [hostname: endgo.ru] (Hostpro Ltd, Ukraine)
195.123.211.229/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Latvia)
185.102.136.127/message.php [hostname: koltsov12.mgn-host.ru] (MGNHost, Russia)
188.65.211.181/message.php (Knopp, Russia)


Recommended blocklist:
185.67.0.102
195.123.211.229
185.102.136.127
188.65.211.181



Monday, 7 November 2016

Malware spam: "Financial documents" leads to Locky

The never-ending Locky ransomware onslaught continues. This fake financial spam has a malicious attachment:

Subject:     Financial documents
From:     Judy Herman
To:     [redacted]
Date:     Monday, 7 November 2016, 10:53

Hi [redacted],

These financial documents need to be uploaded on the system.
Please let me know if you experience any technical problems.

Best Wishes,
Judy Herman 
Sender names will probably vary. In the sample I saw there was an attachment named fin_docs_f73856f4.zip containing a malicious script NRV_A194008F_.vbs that looks like this. This particular script (and there will be others like it) attempts to download from:

http://coachatelier.nl/lg8s2
http://bechsautomobiler.dk/m8idi9j
http://desertkingwaterproofing.com/ma4562
http://zapashydro.net/6sgto2bd
http://owkcon.com/6xgohg6i

According to this Hybrid Analysis, the malware then phones home to:

195.123.211.229/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Bulgaria / ITLDC, Latvia)
185.67.0.102/message.php [hostname: endgo.ru] (Hostpro Ltd. / hostpro.com.ua, Ukraine)
188.65.211.181/message.php (Knopp, Russia)


Recommended blocklist:
195.123.211.229
185.67.0.102
188.65.211.181




Thursday, 6 October 2016

Malware spam: "Your Order" and the inevitable Locky

This fake financial spam leads to Locky ransomware:

From:    Adrian Salinas
Date:    6 October 2016 at 10:13
Subject:    Your Order

Your order has been proceeded. Attached is the invoice for your order A-6166964.
Kindly keep the slip in case you would like to return or state your product's warranty.
Details will change from email to email. Attached is a ZIP file with a name similar to order_details_cb9782b.zip containing a malicious obfuscated javascript file named similarly to Cancellation Form 6328B32E.js

According to my source, these various scripts then download a component from one of the following locations:

activexsearch.com/yggv8
allinfo.xyz.com/zzi5zq2
aquatixbottle.com/yqr8i
askmeproperties.com/xc3db
asknaija.com/wvv5yh
atstory.com/zm2uojf
autokover.ru/z2oc4
b2c-batteries.com/hcgc64j
badimalik.com/dzqzl
bantayan.net/z3z3cc
baomoji.com/y6amo
betwer.com/t21j21t
booltom.com/19abb0h0
booltom.com/5nqlax
booltom.com/7dp0k
booltom.com/8qm9ldj
dipsite.com/r4f2wug
distribuidorabmk.com/wuv2rw
dvdworldmagazine.com/ptibu73
escolaemacao.com/rksgyuj
facerecognition.com.ba/cffdw
feuduprid.com/1xrdgx1j
feuduprid.com/6cpar
feuduprid.com/7sv4ygr9
feuduprid.com/aohsi
fifieoho.com/10a74fd
fifieoho.com/4u29v4
fifieoho.com/74uf3
fifieoho.com/8gplb
hdyzzs.com/qis3lqzw
kristiantouborg.com/trdmz3c
kronosmd.com/oqyxt
kuzeydogalgaz.com/gspiqv
laisou8.com/c4ecj8n
mayrice.net/07il79
mayrice.net/3w7eqv5
mayrice.net/6zok4n
mayrice.net/7uh0f
mgrshs.com/arabn
mmpang.com/h71zo4
mplaylist.com/mw921
nbjzpx.com/n9ih0k
net2008.com/mx93j63z
njykvalve.com/crk5x
numberoneenglish.com/b2v8x8
ofertacar.com/lzdp0id1
oguzhannakliyat.net/nhl290
onji.org/hox0lh
optimize4youseo.com/il9e7
oualili.org/kys133ec
ougelook.com/f7fr3
ozgurbasin.net/ceo09c
pandalove.ru/meft1bs5
peskara.com/n01afb
phaseiv.org/b0uo1
pioneerschina.com/xwks4
pmofmichigan.com/p1inbvn
prettymeuk.com/btvcc
print800.com/p3tw0nst
pro-units.ru/e8uosl
rbwm.ru/wvz996u
relishyomama.org/ebugjjni
sanalgelisim.com/pdjrz8w6
sccxtx.com/gdywsb9
sellflash.com/pjphz
sladetahil.com/1oiyflq
sladetahil.com/6763jdl
sladetahil.com/7fedf3f
sladetahil.com/99f2zg
speakrz.com/oa7ev
tbcthebillingcompany.com/u8uq8t5g
test1.unihost.link/rhh8saz
test.personne.ru/h3x2h682
vudie.com/uco3h8o
westpommern.com/ha0jaeo
winterferienhaus.com/sqfjn29
woodmode-eg.com/o47tu
yepi-games.net/wpp6wl0
zakscott.com/obg7n
zhiwuba.com/ogtkhy

The malware then phones home to the following IPs (belonging pretty much to the usual suspects):

46.8.44.105/apache_handler.php (Netart Group / Zomro, Ukraine)
91.219.28.76/apache_handler.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
188.120.236.21/apache_handler.php (TheFirst-RU, Russia)
217.12.223.78/apache_handler.php (ITL, Ukraine)
46.183.221.134/apache_handler.php (Dataclub, Latvia)

It attempts to contact the following domains, none of which were resolving for me:

vrqhyhyhfoqtetjj.su/apache_handler.php
aukahiofk.click/apache_handler.php
mbjyucltybuujwrec.pl/apache_handler.php
odktufycxibodtlgc.xyz/apache_handler.php
oglvsqvesshcq.work/apache_handler.php
tfgyuhlggusls.ru/apache_handler.php
senawhlqiyl.biz/apache_handler.php
gsrhrrx.su/apache_handler.php
sodugmdutpwo.click/apache_handler.php
ibmwyjowwkvquhftq.info/apache_handler.php
knsyllstwjfv.org/apache_handler.php
pxeuwhmghsnffbn.info/apache_handler.php

Recommended blocklist:
46.8.44.105
46.183.221.128/25
91.219.28.76
188.120.236.21
217.12.223.78


Thursday, 18 August 2016

Malware spam: "The office printer is having problems so I've had to email the UPS label"

This fake UPS email has a malicious attachment. It appears to come from various countries UPS domains (e.g. ups.de, ups.co.uk), and from various senders.

From     "Laurence lumb" [Laurence.lumb25@ups.de]
Date     Thu, 18 Aug 2016 17:35:21 +0530
Subject     Emailing: Label

Good afternoon

The office printer is having problems so I've had to email the UPS label,
sorry for the inconvenience.

Cheers

Laurence lumb
Attached is a ZIP file with a name beginning "Label" plus a random number. This contains a malicious .WSF script file that downloads Locky ransomware from one of the following locations (according to my trusted source):

a-plusrijopleiding.nl/jkYTFhb7
cloud9surfphilippines.com/jkYTFhb7
concurs.kzh.hi2.ro/jkYTFhb7
cs-czosnusie.cba.pl/jkYTFhb7
dasproject.homepage.t-online.de/jkYTFhb7
detlevs-homepage.de/jkYTFhb7
edios.vzpsoft.com/jkYTFhb7
entree22.homepage.t-online.de/jkYTFhb7
entrematicomstyle.com/jkYTFhb7
hanakago3.web.fc2.com/jkYTFhb7
infocoard.50webs.com/jkYTFhb7
mortony.cba.pl/jkYTFhb7
ramenman.okoshi-yasu.com/jkYTFhb7
rgcgifuhashima.aikotoba.jp/jkYTFhb7
sulportale.50webs.com/jkYTFhb7
wb4rsun8c.homepage.t-online.de/jkYTFhb7
www.1-anwalt.de/jkYTFhb7
www.alexpalmieri.com/jkYTFhb7
www.beneli.be/jkYTFhb7
www.bkcelje.50webs.com/jkYTFhb7
www.ceccatobassano.it/jkYTFhb7
www.fabriziorossi.it/jkYTFhb7
www.jphmvossen.nl/jkYTFhb7
www.kdr.easynet.co.uk/jkYTFhb7
www.learnetplus.org/jkYTFhb7
www.lechner-maria.de/jkYTFhb7
www.parma-vivai.it/jkYTFhb7
www.pizzeriaelite.it/jkYTFhb7
www.pulsefl.0catch.com/jkYTFhb7
www.unice.it/jkYTFhb7
zsp17.y0.pl/jkYTFhb7


This dropped binary has a detection rate of 6/54. It phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
51.255.107.8/php/upload.php (Webhost LLC Dmitrii Podelko, Russia / OVH, France)
194.67.210.183/php/upload.php (Marosnet, Russia)

Recommended blocklist:
185.129.148.0/24
51.255.107.8
194.67.210.183






Monday, 15 August 2016

Malware spam: "orderconfirmation@esab.co.uk" / "Order Confirmation-7069-2714739-20160815-292650"

This fake financial spam does not come from ESAB but is instead a simple forgery with a malicious attachment.

From:    orderconfirmation@esab.co.uk
Date:    15 August 2016 at 10:37
Subject:    Order Confirmation-7069-2714739-20160815-292650

_________________________________________________________________
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.

ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof. 
Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:

marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV


The payload is Locky ransomware with a very low detection rate at present. It phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)

The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77


Friday, 12 August 2016

Malware spam: This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

This spam comes with a malicious attachment:

Subject:     Message from "CUKPR0317276"
From:     scanner@victimdomain.tld (scanner@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 12 August 2016, 14:00

This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

Scan Date: 17.11.2015 09:08:40 (+0000)
Queries to: <scanner@victimdomain.tld
The email appears to come from within the victim's own domain (but this is just a simple forgery). Attached is a ZIP file with a name similar to 201608120908.zip which contains a malicious .WSF script with a name similar to doc(171)-12082016.wsf

This Hybrid Analysis shows the script downloading a file from www.hi-segno.com/02bjJBHDs?WUubFbrItd=ratyCr (and also the same location on bonmoment.web.fc2.com and www.homesplus.nf.net) but a trusted source tells me that the following download locations appear in different scripts:

birthday-cards.50webs.com/02bjJBHDs
bonmoment.web.fc2.com/02bjJBHDs
broda.50webs.com/02bjJBHDs
coachinglegend2.atspace.com/02bjJBHDs
dopelx.com/02bjJBHDs
einfachwalter.homepage.t-online.de/02bjJBHDs
files.zdaspb.ru/02bjJBHDs
kolkhoz.web.fc2.com/02bjJBHDs
muteofficial.web.fc2.com/02bjJBHDs
portraitstaffa.de/02bjJBHDs
preglitzer.heimat.eu/02bjJBHDs
scom2.web.fc2.com/02bjJBHDs
seinyco.es/02bjJBHDs
sportpferde-weihmayer.homepage.t-online.de/02bjJBHDs
studiocorrado.org/02bjJBHDs
sv-sportscars.nl/02bjJBHDs
tianooze.web.fc2.com/02bjJBHDs
www.bitupont.hu/02bjJBHDs
www.ceccosport.it/02bjJBHDs
www.herinvest.be/02bjJBHDs
www.hi-segno.com/02bjJBHDs
www.homesplus.nf.net/02bjJBHDs
www.meckem.de/02bjJBHDs
www.meteoerba.it/02bjJBHDs
www.milleniumbar.it/02bjJBHDs
www.nikawilliam.net/02bjJBHDs
www.oxxengarde.de/02bjJBHDs
www.planetk.it/02bjJBHDs
www.smilehi.info/02bjJBHDs


The malware phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)

That Latvian network range is all bad, I recommend that you block the lot. The payload is Locky ransomware.

Recommended blocklist:
185.129.148.0/24
138.201.56.190


Thursday, 11 August 2016

Malware spam: "New Doc" / "Scanned by CamScanner" / "Sent from Yahoo Mail on Android"

This spam has a malicious attachment:

From:    Ashley [Ashley747@victimdomail.tld]
Date:    11 August 2016 at 11:13
Subject:    New Doc 6-6

Scanned by CamScanner


Sent from Yahoo Mail on Android

The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis of one sample shows a download location of fcm-makler.de/4GBrdf6 and my sources (thank you) tell me that there are many others, giving the following list:

151.ru/4GBrdf6
antonello.messina.it/4GBrdf6
fcm-makler.de/4GBrdf6
iceninegr.web.fc2.com/4GBrdf6
mccrarys.us/4GBrdf6
momoselok.ru/4GBrdf6
sando.oboroduki.com/4GBrdf6
www.EastsideAutoSalvage.com/4GBrdf6
www.fasulo.org/4GBrdf6
www.halloweenparty.go.ro/4GBrdf6
www.tommasobovone.com/4GBrdf6


The malware is Locky ransomware, and it phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife.net]
136.243.237.197/php/upload.php (Hetzner, Germany)

Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197

Thursday, 4 August 2016

Malware spam: "Business card" / "I have attached the new business card design." leads to Locky

This spam email has a malicious attachment:

From:    Glenna Johnson
Date:    4 August 2016 at 10:18
Subject:    Business card

Hello [redacted],

I have attached the new business card design.
Please let me know if you need a change


King regards,
Glenna Johnson
c75b53fd1ea488ebe8eaf068fd5c9dd13f1848f4d3a7
Sender names and that long hexadecimal number with vary. Attached is a randomly-named ZIP file containing a malicious .js script beginning with "business card" [example]. The payload appears to be Locky ransomware.

This Hybrid Analysis of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:

escapegasmech.com/048220y5
goldjinoz.com/0a3tg
platimunjinoz.ws/13fo8lnl
regeneratewert.ws/1qvvu9lu
traveltotre.in/2c4ykij7


This drops a binary with a detection rate of 8/54. The earlier Hybrid Analysis report shows it phoning home to:

31.41.46.29/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost.ru]
185.129.148.19/php/upload.php (MWTV, Latvia)
91.219.29.35/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine) [hostname: 35.29.219.91.colo.ukrservers.com]

All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.

Recommended blocklist:
31.41.40.0/21
185.129.148.0/24
91.219.28.0/22






Wednesday, 3 August 2016

Malware spam: "As you directed, I send the attachment containing the data about the new invoices"

Another day, another Locky ransomware run:

From:    Marian Mcgowan
Date:    3 August 2016 at 11:15
Subject:    Fw: New invoices

As you directed, I send the attachment containing the data about the new invoices

Attached is a randomly-named ZIP file which contains a highly obfuscated .js script  which according to this Malwr analysis downloads a binary from..

blog-aida.cba.pl/2zensi7t

..when decrypted it creates a binary with a detection rate of 4/54. That same Malwr analysis shows it phoning home to:

93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm.in]

This IP was seen last night and it seems that there is a concurrent Locky spam run phoning home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
89.108.127.160/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv.com]

Both those IPs are in known bad blocks.

Recommended blocklist:
93.170.104.20
185.129.148.0/24
89.108.127.0/24



Tuesday, 5 July 2016

Malware spam: "Scanned image" leads to Locky

This fake document scan appears to come from within the victim's own domain but has a malicious attachment.

From:    administrator8991@victimdomain.com
Date:    5 July 2016 at 12:47
Subject:    Scanned image

Image data has been attached to this email.
Possibly due to an error in setting up the spam run, there is an attachment named 05-07-2016_rndnum(4,9)}}.docm which contains a malicious macro. We haven't seen much in the way of Word-based malware recently. The two samples I received have VirusTotal detection rates of 5/52 and 6/52. The Malwr analysis for those samples [1] [2] shows the macro downloading a binary from:

leafyrushy.com/98uhnvcx4x
sgi-shipping.com/98uhnvcx4x


There will be a lot more locations too. This drops a binary with a detection rate of 5/55 which appears to be Locky ransomware. Hybrid Analysis shows it phoning home to:

185.106.122.38 (Host Sailor, Romania / UAE)
185.106.122.46 (Host Sailor, Romania / UAE)
185.129.148.6 (MWTV, Latvia)


Host Sailor is a notoriously Black Hat web host, MWTV has is problems too. The payload appears to be be Locky ransomware.

Recommended blocklist:
185.106.122.0/24
185.129.148.0/24



Tuesday, 28 June 2016

Malware spam: "report" / "I致e attached the report you asked me to send." leads to Locky

This spam has a weird problem with its apostrophe and comes with a malicious attachment:

From:    Kris Ruiz
Date:    28 June 2016 at 10:38
Subject:    report

Hi info,

I致e attached the report you asked me to send.


Regards


Kris Ruiz
Head of Finance UKGI Planning

The details of the sender will vary from message to message.

Attached is a ZIP file containing components of the recipient's email address and the words "report" and/or "pdf". Contained within is a malicious .js script file with a name starting with "swift".

This analysis comes from a trusted third party (thank you again). The script downloads a file from one of the following locations:

300tomoli.it/j8m7ktu
4k18.com/dfg4ad
adbm.co.uk/q2bmmhz
atlantaelectronics.co.id/xe1370n
bbmarilu.it/hkl9d
bbvogliadimare.it/il4cc3e
bibliadarkorbit.za.pl/i59j41zo
bisericaromaneasca.ro/trslckn
bobbysinghwpg.com/x42honx
bordur32.ru/re23zcb7
cameramartusa.info/u0uolg9
centrosportivoiunco.it/e8uxd
certifiedbanker.org/qjxfba
cond.gribochechki.ru/1vmcl8l
depaardestal.nl/3vfr61
dobramu.za.pl/4pc3kd9p
dragon.obywateleuropy.eu/4u22bfst
dugganinternational.ca/ksx6dv7
edilperle.it/d1mys2g
euro-support.be/xaf5349p
focolareostuni.it/oqtkiw
ft.driftactive.za.pl/7b03ffv
fuckcraft.xorg.pl/8cn8zeo
hate-metal.com/kgp8v
hudebiah.net/nskx4
ilbalconcino2011.it/e4ao4kky
ingstroymash.ru/cwiivhxu
jd-products.nl/t57vc86
marxforschung.de/0e7ac
mr2peter.de/o5ci15o
mycreativeprint.com/w3d7z6
namifitnessclub.it/f6hi6k
newgeneration2010.it/gupwqe1
potolok-profit.ru/q39aie
sprintbus.com.pl/9h7b0qnx
staffsolut.nichost.ru/jwz8i9
stbb.pt/40gnvp9a
tanie-pranie.za.pl/9e607
tip.ub.ac.id/v9wcojln
turniejkrzyz.za.pl/he2013lf
usdavetrana.it/dn81o
vonenidan.de/m3mmis
www.centroinfantilelmolino.com/qtuuvm2
www.johnlodgearchitects.com/haqew
www.pececitos.com/9ehkrke


The file is then decrypted (although I don't have a sample yet) and appears to be Locky ransomware. It phones home to the following servers:

109.234.35.71 (McHost.ru, Russia)
185.146.169.16 (Pavel Poddubniy aka Cloudpro LLC, Russia)
193.9.28.254 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
194.31.59.147 (HostBar, Russia)
195.123.209.227 (Layer6 Networks, Latvia)
217.12.223.88 (ITL, Ukraine)
217.12.223.89 (ITL, Ukraine)


Recommended blocklist:
109.234.35.71
185.146.169.16
193.9.28.254
194.31.59.147
195.123.209.227
217.12.223.88
217.12.223.89

Monday, 27 June 2016

Malware spam: "Requested document" / "The document you requested is attached" leads to Locky

This spam comes from various senders, and leads to Locky ransomware:

From:    Trudy Bonner
Date:    27 June 2016 at 15:39
Subject:    Requested document

Dear [redacted],

The document you requested is attached.

Best regards


Trudy Bonner
Group Director of Strategy
Attached is a ZIP file containing elements of the recipients email address, the words "document", "doc" or "scanned" plus a random number. Contained within is a random .js script beginning with unpaid.

Trusted external analysis (thank you as ever) shows the scripts downloading from one of the following locations:

192.186.246.134/~advancedptr/4kw2yb
210.171.0.30/~akfa8701/76p9su
216.218.93.172/~thelma2/7a4q7knx
217.172.226.2/~redpaluch/8ji21s5
217.172.226.2/~vikolor/3pdqsh
300tomoli.it/0qgidk55
3141592.ru/rvhijql
4k18.com/lpschs
80.244.134.169/x4jzt5
82.140.32.172/~hoddl/4etb1e1
adbm.co.uk/104ky
addonworks.com/aaotksj
angeelle.nichost.ru/sf0bm5rz
arogyaforhealth.com/apqbmvr
asliaypak.com/zcubi7
atlantaelectronics.co.id/kjdfbm
babycotsonline.com/hiy96z
beautifulhosting.com.au/ljtxwrr4
bisericaromaneasca.ro/amfcy
bobbysinghwpg.com/fx1jpyt
cameramartusa.info/qaghx
camera-test.hi2.ro/5w9tcm
certifiedbanker.org/faplav8m
clients.seospell.co.in/8jq6cu
climairuk.com/bv7haqcm
cond.gribochechki.ru/v84pn
delicious-doughnuts.net/t81of0k
empiredeckandfence.com/8wytfp
euro-support.be/jo1s8r3k
focolareostuni.it/1tl199rq
hudebiah.net/vyz44p8
immoclic.o2switch.net/mpzkos32
ingstroymash.ru/vi4hwfp
jd-products.nl/msjswnn
mycreativeprint.com/f9qa60q
potolok-profit.ru/w9oyt
sherlock.uvishere.com/2ujlndd
staffsolut.nichost.ru/wif31sug
tip.ub.ac.id/bzrnweoo
www.centroinfantilelmolino.com/2sgw0ch


The malware phones home to the following hosts:


51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
109.234.35.71 (McHost.ru, Russia)
185.82.216.61 (ITL, Bulgaria)
185.146.169.16 (Pavel Poddubniy aka CloudPro, Russia)
195.123.209.227 (ITL, Latvia)
217.12.223.88 (ITL, Ukraine)
217.12.223.89 (ITL, Ukraine)


Lots of ITL recently... you might want to block /24s here instead of single IPs.

Recommended blocklist:
51.254.240.48
109.234.35.71
185.82.216.61
185.146.169.16
195.123.209.227
217.12.223.88
217.12.223.89


Malware spam: DOC1234 / document4321 / Document56789 leads to Locky

This rather terse spam run leads to Locky ransomware and appears to come from the sender's own email account (but doesn't).

The subject is some variation of DOC / Document / document plus a number. There is a ZIP file attached with a name matching the subject, there is no body text.

Some examples

Subject: DOC541887
Attachment: DOC541887.zip

Subject: document36168
Attachment: document36168.zip

Subject: Document453567810
Attachment: Document453567810.zip

Contained within the ZIP file is one of several different .js scripts. Trusted third-party analysis (you know who you are, thank you!) shows download locations at:

calcoastlogistics.com/09ujnb76v5?yNVICJbit=nFikKFve
labthanhthanhpg.com/09ujnb76v5?yNVICJbit=nFikKFve
patmagifts.asia/09ujnb76v5?yNVICJbit=nFikKFve
shadowbi.com/09ujnb76v5?yNVICJbit=nFikKFve
www.tmdmagento.com/09ujnb76v5?yNVICJbit=nFikKFve


Detection rates for the dropped binary are 5/54. The malware phones home to the following IPs:

51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
217.12.223.88 (ITL, Ukraine)
195.123.209.227 (ITL, Latvia)
185.82.216.61 (ITL, Bulgaria)


Recommended blocklist:
51.254.240.48
217.12.223.88
195.123.209.227
185.82.216.61